TOPICS
schadenspiegel
The magazine for claims managers
Issue 2/2014
Danger from the internet
Cyber risks are increasing and threaten many
companies with losses that are both diverse and
difficult to assess. Page 6
Third-party liability
Brain injuries in the NFL
Hail losses
Is there a risk of change?
Power plant construction
High quality standards
prevent losses
Editorial
Dear Reader,
The latest issue of Schadenspiegel focuses on the world of cyber risks,
such as data loss, data abuse and the liability questions these issues
involve. This emerging loss trend will soon be as much a part of everyday claims handling as geo risks, car accidents and fire damage. For
the insurance industry this means new challenges, which can only be
mastered with the latest expert knowledge and tailored solutions.
Of course, traditional risks will also remain as important as ever: for
example, the 2013 hailstorms in Germany left insurers with a huge
claims burden. But even a classic loss complex such as this may involve
new challenges, as damage to solar panels and today’s less robust
building insulation drives up losses. High-quality building standards are
therefore essential.
Ultimately, even a change in claims mentality is enough to bring about
new loss complexes. One example of this is the recent lawsuits by
professional athletes concerning the long-term effects of the repeated
concussions they suffered during their sporting careers.
I hope you enjoy reading this latest issue of Schadenspiegel.
Tobias Büttner
Head of Corporate Claims, Munich Re
NOT IF, BUT HOW
Munich Re Topics Schadenspiegel 2/2014
Sniffing out the hackers
At international hacker festivals like the “Campus
Party” in São Paulo in 2012, so-called white-hat
hackers discuss the latest trends. In spite of a
growing awareness on the part of companies,
the rising incidence of cases demonstrates the
resourcefulness and criminal energy that data
thieves possess.
Contents
CYBER RISKS
“Thanks to the internet, anyone seeking to harm a company today stands a good chance of succeeding”
The targets and methods of hackers are constantly changing. A multi-tiered approach to security can help to protect essential assets.
Cyber claims – The crime of our times?
If you want to withstand cyber attacks, you need to look beyond technological safeguards and consider the human factor as well.
Defending the cyber borders
How governments want to protect companies from cyber attacks.
Costly cyber attacks on US retailers
The department store chains Target and Neiman Marcus were the victims of massive client data thefts – albeit with two very different outcomes.
The right protection against cyber losses
Hartford Steam Boiler’s products give insureds peace of mind.
THIRD-PARTY LIABILITY
Delayed knock-out
A recent court settlement between the US National Football League and former players has attracted the attention of sporting leagues and insurers.
It is not unknown for young American Football players to suffer Alzheimer’s disease or dementia following frequent concussions. Ice hockey players and footballers also underestimate the risks involved.
NATURAL HAZARDS
Severe hailstorms – A risk of change?
Large hailstones caused serious damage in Germany in 2013.
German insurers had to pay out billions for hail losses in 2013. Recent studies indicate that the trend towards more severe hailstorms in Europe and North America is likely to continue.
ENGINEERING
Critical interfaces
High quality standards in power plant construction projects help to prevent losses.
Editorial
News
Literature
Column
Imprint
NEWS
SOCIAL MEDIA
Follow us on social media
For some time now, readers have been able to comment on Topics Online articles on our website. But you can also contact Munich Re on various social media platforms: we are on Twitter, Facebook, Google+, YouTube, LinkedIn and Xing.
Why not follow us – and keep up with the topics that impact the insurance industry? Read interesting articles, watch fascinating videos or stay fully up to date with live tweets from company and industry events.
>> twitter.com/munichre
>> facebook.com/munichre
>> youtube.com/user/munichrevideo
>> linkedin.com/company/munich-re
>> xing.com/companies/munichre
>> plus.google.com/115897201513788995727
INDUSTRIAL LIABILITY
Are industrial companies underinsured?
The international division of labour influences liability practice throughout the world. Industrial accidents and environmental scandals are given much greater prominence these days and can affect different legal systems. It is not easy to obtain an overview of local and global responsibilities. In its new publication “Employers’ liability for occupational illness and injury – A familiar risk in a changing world”, Munich Re outlines different types of employers’ liability. A further brochure containing case studies on environmental liability will be published shortly.
>> You can download our publication “Employers’ liability for occupational illness and injury – A familiar risk in a changing world” from connect.munichre.com or request it from your Client Manager.
CLIENT SEMINARS
Knowledge in dialogue 2015
The new client seminar programme “Knowledge in dialogue 2015” is now ready. We will again be offering our international clients an extensive programme of seminars and workshops in the coming year. The available courses will cover not only all the important classes of business but also specialist topic areas such as financial lines insurance or enterprise risk management.
>> Contact your Client Manager for further information.
News in brief
On 24 September 2014, Dieter Berg, Senior Executive of
Business Development for the Global Marine Partnership,
was elected as the new President of the International
Union of Marine Insurance (IUMI) during the union’s
annual conference. Berg is the first president in IUMI’s
history to come from the reinsurance industry. IUMI was
founded in 1874 for the purpose of representing, safeguarding and developing insurers’ interests in marine and
all types of transport insurance.
Munich Re Engineering Newsletter: Our engineers support major projects all over the world, using their technical
expertise to assist clients in successfully completing projects and beyond. Read up on exciting engineering projects
around the world in our new Engineering Newsletter.
Subscribe to the free Engineering Newsletter at
http://www.munichre.com/en/service/engineeringnewsletter/index.html.
Welcome to a brand new way of working:
connect.munichre – a safe place to develop
yourself and your business, optimise your
processes, and make rewarding connections.
Come and have a look around!
New marketing brochure for the client portal
connect.munichre.com
The new marketing brochure for connect.munichre will show clients how to use project rooms for their day-to-day dealings and for the secure exchange of data. It also explains how they can speed up their underwriting processes with our risk assessment and rating tools such as MIRA and NATHAN.
connect.munichre offers easy access to current research articles, publications and policies, and enhanced readability with the Flip Viewer. As a result, clients can read up on the latest insurance news, browse through our extensive range of training options at various locations or participate in live webinars, all from the comfort of their own workstation. Recordings of previous webinars are available in an archive. The processes for registering and for contacting experts at Munich Re are very simple. All the necessary details are provided in the brochure.
>> For more information, please ask your Client Manager or contact us online at connect.munichre
CYBER RISKS
“Thanks to the internet,
anyone seeking to harm a
company today stands a
good chance of succeeding”
Cyber attacks are a growing threat to companies.
Florian Seitner from the Bavarian Office for the
Protection of the Constitution and Michael Hochenrieder
from HvS–Consulting, a provider of IT security
services, talked with Munich Re about costly losses
and complex risks.
Michael Lardschneider (Munich Re):
Cyber attacks causing costly losses
are becoming more frequent in many
branches of industry. Companies are
investing more and more in technical
infrastructure. Does this deter hackers?
Florian Seitner: Hackers are becoming more and more professional –
something that is also reflected in
the growing division of labour. As in
the world of business, more complex
programming tasks are outsourced,
with some groups of hackers even
working for both intelligence agencies
and criminal clients.
Lardschneider: Mr. Hochenrieder, as
a provider of IT security services, you
endeavour to find out how effective
your clients’ security measures are.
As part of your vulnerability analysis
and penetration tests, your job is to
try and steal the digital “crown jewels”. How do you go about this?
Michael Hochenrieder: We specifically launch our attack at a carefully
selected point in the network and
look to see how IT security staff and
systems respond: Do they raise the
alarm? Or can we move around freely
in the network for two or three
weeks, continuously skimming off
company data?
Lardschneider: Companies are
becoming more aware that they are
all in the same boat. However, a great
deal of mutual trust is needed in
order to understand which attacks
have been launched and which
measures have been implemented.
Trust-based intercorporate bodies
are slow to emerge. This is also true
of collaborations with providers of IT
security services and product manufacturers. An extremely close and
trusting business relationship is
imperative if it is possible that the
service provider might also be working for the competition, for example.
Close cooperation with domestic
intelligence authorities is also important.
Seitner: Firms can work with us on a
confidential basis and receive support from the authorities in the event
of electronic attacks, without this
necessarily leading to criminal prosecution. Many firms, however, are
reluctant to call in the police. The
police are obliged to report such
cases to the public prosecutor on
account of the legality principle. As a
domestic intelligence authority, we
are not governed by this principle.
We guarantee the firms complete
confidentiality.
Lardschneider: Last year, US security
authorities informed 3,000 firms that
they may have been the target of cyber
attacks. Will such close cooperation
also become more common in Europe
and other regions in the future?
Michael Lardschneider is Munich Re’s
Chief Security Officer.
Lardschneider: What has been your
experience to date? Are the attacks
detected more quickly than in the
past?
Hochenrieder: No, on the contrary.
It takes longer now because the tools
used for genuine attacks have become
exceedingly sophisticated. And that
makes it very difficult to detect an
attacker who has the relevant technical knowledge.
Seitner: Our adversaries have the
advantage that they can learn from
their mistakes, as there is a chance
they may notice why their attack
failed. Next time around, they’ll have
better software and target a different
network.
Hochenrieder: In the end, we must
admit that, in this game of cat and
mouse, we usually come off second
best. We can only learn from an
attack after the event. Analysing the
attack is a lengthy process, during
which other companies may find
themselves under attack from a similar technology.
Seitner: We issue a security warning
if we detect an attack or hear of an
attack which, judging by its nature,
could affect more than one company.
Though the details are always
anonymised, our warnings describe
the attack in such a way that every
potential victim can take specific
action. Many firms have performed
tests on the basis of our warnings,
several of them uncovering attacks in
the process. Such cases are then
included in our assessment of the
current situation.
Michael Lardschneider talking with
Michael Hochenrieder and Florian
Seitner.
Hochenrieder: In the case of specific
attacks, several different methods are
employed simultaneously. On average,
it takes 260 days before an attack is
actually discovered by the company
targeted. In some cases, the hackers
can lurk undetected in the corporate
network for several years.
Lardschneider: This can only be
prevented if technology and human
intelligence operate in synch. A great
deal can be stopped through technical
measures, although this can
occasionally interfere with the
employees’ work flow. But they tend
to accept this if they understand why
certain functions have been deactivated. We also invest a great deal in
improving our employees’ know-how
and heightening their awareness of
the entire subject.
Hochenrieder: At the moment, we
are experiencing numerous spear
phishing attacks, targeted at specific
individuals. However, instead of
drawing blood, such attacks seek to
extract confidential data. Spear
phishing occurs, for example,
through e-mails referring to specific
job offers. Although the job offer
appears professional, the attachment
containing the CV or the linked website is actually infected. Hackers can
waltz in as soon as the attachment is
opened by a member of the personnel
department.
Lardschneider: Can you describe any
other loss scenarios?
Hochenrieder: If someone really
wanted to harm a competitor, he
could simply shut down all the competitor’s systems. That, however, is
usually detected and remedied fairly
quickly. Attacks are much more difficult to detect when, for example, they
involve the manipulation of financial
data or the marginal alteration of a
car maker’s dimensions for a milling
machine. Moving the decimal point in
a few figures or changing the date in a
few places is all that needs to be done.
The changes initially remain undetected, with fatal consequences for
the end product. Once the intrusion
has been detected, however, the targeted company must attempt
to ascertain which data are still
intact. After all, it is impossible to
know how long the intruder has
already been inside the network,
which areas have been manipulated
and when. Checking the integrity of
all data can be a very complex and
costly process in the case of large
companies.
Seitner: I would even go one step further. What happens when processes
in a production facility are modified
by hackers so that something is
changed in a product – a drug for
example – unbeknownst to the manufacturer? The automotive industry
is another vulnerable sector: major
product recalls entailing complex
liability issues would cause considerable losses.
Michael Hochenrieder is Managing
Director of IT and information security
specialist HvS–Consulting.
Effective protection against hackers
and appropriate insurance cover will be
an invaluable competitive advantage for
companies in the future.
Bavarian Cyber Alliance Centre
The Cyber Alliance Centre (CAZ) within the Bavarian Office for the Protection
of the Constitution advises companies and research institutions, as well as the
operators of critical infrastructure, with regard to the prevention and analysis
of specifically targeted cyber attacks. It acts as a confidential liaison office and
central steering and coordination office in the fields of cyber espionage and
cyber sabotage.
Attacks are analysed by the CAZ in close collaboration with the Federal Office
for the Protection of the Constitution (BfV), the Federal Office for Information
Security (BSI) and other federal and state security authorities. The results are
evaluated and internally processed by the CAZ. Information is also made available in anonymised form to other potential victims of similar attacks, as well as
to the company directly affected.
Lardschneider: There is also an
increasing number of attacks which
are best described as cyber terrorism.
Seitner: Attacks of this nature are
primarily directed at critical infrastructure. For instance, if a single
CHP plant for a new development
area were hacked into, this could
possibly still be offset by the utility
company. However, if several CHP
plants with the same control system
were hacked into and then failed, this
could impact the entire system.
Lardschneider: Companies tend to
see attacks on their own systems as
an all-out declaration of war. For
them, there is more than just their
reputation at stake. Particularly in
the finance industry, customers are
paying more and more attention to
how companies handle their data
and whether they have already
become the target of an attack. For
companies dealing with confidential
data, however, this is also an excellent
opportunity to gain an edge over other
firms in the market by introducing
specific measures and suitable insurance cover.
Hochenrieder: Companies must realise that they cannot protect everything,
particularly as targets and methods
are changing all the time. What they
need is a multi-tiered approach to
security, aimed at effectively protecting essential assets. Costs, benefits
and risks must be carefully weighed
up. This also includes made-to-measure insurance cover for cyber
risks.
Lardschneider: How will cyber risks
develop in the coming years?
Seitner: Military conflicts will increasingly extend into cyber space and
this is a process which must be monitored very closely. Firms and public
authorities must also prepare themselves and establish a strong, broad
alliance based on trust and confidence. That is the only way to detect
electronic attacks more quickly, and
successfully avert them.
Hochenrieder: Companies need to be
flexible in dealing with the new situation. They can still protect themselves, but a new way of thinking is
needed. The strategy so far has been
to seek protection behind high walls.
But as we now know that’s no longer
enough, our new strategy is based on
the “onion peeling” principle, i.e. a
multi-layered approach. Raising
awareness among staff and administrators involved in information
security and cyber risks, and putting
early-warning systems in place, can
be achieved relatively quickly. On the
other hand, measures such as a precise segmentation of the networks,
safeguarding privileged accounts
and identifying, classifying and protecting the “crown jewels” take
longer, sometimes several years. It is
therefore important that companies
start today and at the same time
invest in appropriate cyber covers if
they want to be ready for the challenges of the future.
Florian Seitner from the Cyber
Alliance Centre at the Bavarian Office
for the Protection of the Constitution.
CYBER RISKS
Cyber claims – The crime of
our times?
Today’s digital connectivity has radically changed our lives. But it has also
given rise to a new type of crime. Cyber crime – criminal acts committed
via the internet for financial gain or for political or espionage purposes – represents a risk we cannot afford to ignore. For the insurance industry, this creates an important opportunity to generate business and support society.
Helga Munger
Due to the fast evolution of digital technologies and
the fact that it is often easier to attack a system than
defend it, breaches and attacks are to some degree
inevitable. Yet as new as some aspects of these risks
are, one significant contributing factor has been with
us throughout: people themselves.
The insurance environment
Global premiums in 2014 for cyber risk insurance are
estimated at around US$ 2bn, a figure dwarfed by the
estimated cost of cyber crime – US$ 445bn. Accordingly, this is an area of great interest to many insurers.
As a broader range of companies become aware of the
risks and seek ways to handle and minimise the cost of
an attack, the market promises huge growth potential.
Of course, this is not an entirely new coverage, and a
number of risk carriers have accrued a great deal of
experience and expertise with it over the past decade.
Some have emerged as responsive providers, refining
their covers and offering specific policies to meet customers’ needs. Others are new to the market, with
their sights set on niche markets and the cyber risks to
the industries they are familiar with from other lines
of business.
From a claims perspective, both approaches share the
need for excellent communication between claims and
underwriting. Insurers and reinsurers benefit greatly
from the ability to respond to emerging issues quickly,
and alter approaches and wordings accordingly.
Cyber claims
Claims experience in recent years indicates that the
most publicised, higher-profile and higher-value losses
still emanate from the US, but not exclusively. Recent
losses such as the Target and eBay hacks have been so
widely reported that awareness is unavoidable. A
broader range of businesses are considering how well
they would be able to respond if they were to fall victim
to an attack.
Data can be lost in many different ways.
Hacker attacks, the insertion of malware
and manipulated websites or e-mails are
among the most common forms of data
breaches.
The range and complexity of incidents are huge, from
a single lost laptop to the level of breach experienced
by Sony, TJX, Target and eBay. They are frequently not
initially detected by the victims themselves, with
companies often first hearing of a cyber attack when
notified by authorities or when unusual activity is
seen in the accounts of their customers. Many of the
high-profile breaches appear to have been publicised
in blogs in advance of formal notices by the company.
Malware attacks are not just issues for large retailers,
although they are most certainly a lucrative target for
cyber criminals. Small to medium-sized enterprises
(SMEs) are also at risk, as a breach at Staysure Insurance UK has made clear.
Staysure, a specialist broker of travel insurance products for the over-50s, had to contact 93,389 customers
after the attack. The insurer believed that hackers
may have stolen sensitive code numbers from policyholders’ cards. Fortunately, the company was able to
state publicly that it had appropriate insurance cover,
which enabled the company to manage the breach
effectively and communicate with all the necessary
authorities promptly.
On a global scale, most victims discovered the eBay
breach by way of media coverage, with information on
the company’s website following. eBay asked 233 million customers to change their passwords. The online
retailer is keen to say that no financial data were taken,
but there may have been risks to customers who use the
same passwords on multiple sites. The stolen information was of great value, as it included postal
addresses, e-mail addresses, phone numbers and
dates of birth. The risks are not limited to the internet,
as a number of banks use address and date of birth in
the verification process for their telephone banking
services.
At the other end of the technological spectrum was a
further data breach reported to the UK’s Information
Commissioner’s Office (ICO): a filing cabinet containing sensitive government documents was brought to a
second-hand furniture auction. More recently, a police
authority was fined for leaving sensitive interview tapes
and confidential information behind in a building it had
vacated. Such data breaches are small-scale, but nevertheless relevant from a claims experience perspective.
The issues relating to denial of service attacks can be
difficult for a smaller company to address. Getting a
website and potential online sales back up and running
after such incidents can be costly and time-consuming,
but professional data mitigation companies have provided excellent solutions in claims from this type of
attack. These services have included scrubbing data
and sending them back to the right site, with some
delay for the customer, but maintaining the overall
level of service and mitigating loss of sales and business interruption costs.
Legislative environment
The overall legislative environment is currently complex and unclear. This is an evolving area with European developments moving at a glacial pace through
the attempts to pass binding regulation for all member states (see the article by Patrick Hill on page 16).
In the US, although it is seen as being at the forefront of the highest-profile cyber attacks, there is also a lack of uniformity
between various states. Many specify their definition
of personally identifiable information (PII) differently,
and outcomes have varied. On balance, good arguments
remain that the loss of data in itself does not constitute
an injury unless specific warranties have been provided. This is expected to continue to be challenged
by the plaintiffs’ bar.
Most (but not all) states have mandatory breach notification requirements, but there are fewer similarities
in the definition of what constitutes a breach. As an
example, 29 of the country’s 50 states exempt encrypted
personal data from mandatory breach notification.
Every breach is different
Professional attacks
– Hacking or malware
– Phishing and pharming
– Intentional breach of information (employees, contractors)
– Payment card fraud
Inadequate security and access controls
– Unencrypted card details (CVC Code)
– Simultaneous use of same login
– Failure to update systems
Lost in transit
– Back-up tapes being sent to storage
– Transfer of equipment
– Improper disposal (paper, e-waste)
Misadventure
– Unintentional disclosure
– Portable device lost or stolen
– Stationary device stolen
– Data is transferred to employee’s device
Disclosure of healthcare information is seen as a
greater risk, and specific penalties apply to the incorrect release and publication of this, with significant
costs to providers. This again underscores the need
for companies to partner with sophisticated and
knowledgeable service providers who can help them
to navigate through these complexities.
Cyber awareness starts with top management
Awareness is a good start, but is it enough? A recent
UK government study indicated that the majority of
participating FTSE 350 companies’ boards and audit
committees felt that they took cyber matters very
seriously (64%). That may sound encouraging but for
the fact that less than 50% of the board chairs said
they felt that their boards had a clear understanding
of the impact of data losses.
Many cyber risk factors are directly influenced by top-management decisions, including a company’s own
governance as well as its choices of partnerships and
suppliers. The risks are further magnified for those
that outsource and contract out sensitive tasks.
A challenge and an opportunity
Naturally, insurers and reinsurers receive cyber claims
from those stakeholders that have recognised the risks
and taken steps to protect themselves. Clearly, these
are likely to represent a more risk-conscious group.
Nevertheless, a broader awareness of cyber risks can
be expected to emerge. As an understanding of the
risks deepens, the insurance community can make a
contribution by offering targeted covers and professional
support both by way of preparation and vigilance prior
to a breach and top-quality breach-response teams in
the wake of an attack.
If there were to be just one claims message to deliver
based upon our experiences at this time, it would be
that the speed and quality of the teams appointed following a breach is the single greatest factor in managing cost and reputational damage following an attack.
As experts in managing risks, insurers can play a
major role in handling cyber risks to support clients
and also profit from this growing market.
Claims have already been instigated against directors
and officers in connection with conduct that may have
led to or exacerbated a breach. There are no outcomes
as yet in these publicised cases, but they deserve close
attention.
Our Expert
Helga Munger is a senior legal
counsel for casualty claims in
Global Clients/North America.
literature
Employers’ Liability and Workers’
Compensation
Ina Ebert
In the study “Employers’ Liability and Workers’ Compensation”, commissioned by the European Centre of Tort and Insurance Law (Ectil) in
Vienna, experts from the respective markets discuss the compensation paid to employees for occupational illness and injury in twelve
countries: Germany, France, England, Italy, Denmark, the Netherlands,
Austria, Poland, Romania, Australia, Japan and the US. The various
national models – exclusive employers’ liability, combinations of
employers’ liability and workers’ compensation, the (almost) total
transfer of compensation from liability law to alternative compensation systems – are described in detail, highlighting the respective
advantages and disadvantages.
The shift in the functions which each of these forms of compensation
for employees must fulfil emerges clearly from the study. Originally,
the focus was on compensating workers injured as a result of accidents. Taking care of employees with occupational diseases subsequently gained in importance. This raised a multitude of new problems, from causality and the question of limitation periods for long-tail
claims (consequential claims due to asbestos being the best example
of this), through the consequences of an employer’s insolvency, to distinguishing between occupational psychological disorders and those
attributable to other causes. More recently – particularly in the US, but
to a growing extent in Europe, too – employers’ liability has also played
a role in cases of discrimination, and moral and sexual harassment.
This is a useful and interesting book for anyone involved in insuring
risks in the field of tension between labour law, social insurance and
liability law, whether at a national or international level.
Ken Oliphant, Gerhard Wagner (Eds.):
“Employers’ Liability
and Workers’ Compensation”
De Gruyter
Berlin/Boston 2012
CYBER RISKS
Defending the
cyber borders
Concerns about cyber attacks are forcing
governments and companies to take action.
Patrick Hill
Data protection and privacy is one important element
of cyber risk, and there have been a number of recent
government initiatives and legislative developments
across the world which highlight the desire of legislators
to raise standards of data security and privacy
across the board.
Government initiatives
In the UK, Prime Minister David Cameron has pledged
£1.1bn to tackle the “unseen enemies” of cyber crime
and cyber terrorism. He acknowledged that it is no
longer possible to “defend the realm from the White
Cliffs of Dover”, and this investment is the latest
aspect of the UK government’s drive to improve cyber
security and protect critical national infrastructure
from cyber attacks. His announcement comes shortly
after the launch of the UK government’s Cyber Essentials
scheme, which is designed to encourage all businesses,
big and small, to properly consider and mitigate
their exposure to cyber risks.
This was followed by a summit in November 2014
hosted by Francis Maude, Minister for the Cabinet
Office with responsibility for the UK Cyber Security
Strategy, for CEOs from the UK’s insurance sector.
This marks closer collaboration between the UK government
and industry to help promote the growth of
the cyber insurance market as a means of improving
cyber security risk management. The insurance sector
is in a strong position to drive improvements in
cyber security risk management by asking the right
questions of customers in relation to their cyber breach
16
Munich Re Topics Schadenspiegel 2/2014
and operational risk policies, and also by helping their
policyholders in the wake of a data breach incident
through the provision of expert advice and assistance.
In the US private sector, major Wall Street banks are
proposing a cyber war council to defend against
future cyber attacks following concerns that their systems
may not repel or recover from a significant
attack. Their concerns include the possibility that a
cyber attack on the electrical grids on which financial
markets rely could cause widespread panic and trigger
runs on banks. The “cyber war” rhetoric is an acknowledgement
that the impact of cyber threats can be
just as catastrophic as physical threats.
Whilst it remains to be seen whether these initiatives
will be successful in bolstering cyber security, they
will at least publicise the risks and the importance of
taking appropriate mitigation strategies.
EU legislation
The European Union (EU) is also taking cyber security
very seriously. The European Commission plans to
unify data protection within the EU with a single law,
the General Data Protection Regulation (GDPR). The
current EU Data Protection Directive does not consider
important aspects like globalisation or technological
developments such as social networks and cloud
computing sufficiently, so the EU decided that new
guidelines for data protection and privacy were required.
Therefore, a proposal for a regulation was released on
25 January 2012.
Subsequently, numerous amendments have been proposed
in the European Parliament and the Council of
Ministers. The European Parliament has formally
adopted the compromise text that the LIBE Committee
adopted in October 2013. The regulation must now be
adopted by the European Council comprised of all
28 EU member states. As the Council has not yet
agreed upon a common position on the reform of data
protection law, the regulation is now unlikely to be
adopted before early 2015. The regulation is planned
to take effect after a transition period of two years.
With 28 individual states, there is always a risk of different
interpretations of the regulations, which could
lead to different levels of privacy across the EU. In
addition, the variety of security and privacy standards
throughout the EU member states is likely to mean
that, for some, dramatic changes will be required.
Whilst undoubtedly well intentioned, there is still
some way to go before the GDPR is brought into force
throughout the EU, and it remains to be seen in precisely
what form.
The proposed new EU data protection regime extends
the scope of the EU data protection law to all foreign
companies processing data of EU residents. It provides
for a harmonisation of the data protection regulations
throughout the EU, thereby making it easier for non-European companies to comply with these regulations.
However, this comes at the cost of a strict data protection
compliance regime, with severe penalties of
up to 2% of worldwide turnover or €1m. The European
Parliament has suggested fines up to €10m or 5% of
global turnover.
There are a number of practical and logistical difficulties
with the proposed regulations, not least that the
European Commission and local Data Protection
Authorities (DPAs) will require sufficient resources and
power to enforce and police the regulations. There is
already a lack of privacy experts and knowledge, and
new requirements might worsen the situation. It is
expected that the DPAs will suffer language and staffing
difficulties. Therefore, education in data protection
and privacy will be a critical factor for the success of
the GDPR.
Our Expert
Patrick Hill is a partner in the
London office of international
law firm DAC Beachcroft LLP.
CYBER RISKS
Cyber attacks on
US retailers
In the middle of the 2013 Christmas shopping
season, hackers infiltrated the retail chain
Target and luxury retailer Neiman Marcus. In
total, credit card and bank card data belonging
to 110 million customers were stolen.
Nils Diekmann and Andreas Schlayer
The last week before Christmas is the most lucrative
of the year for retailers. Customers swarm into the
stores, paying for their purchases with bank cards and
credit cards. On 18 December, rumours spread on the
internet that the retail chain Target had been hacked.
Not just one store, but all its 1,797 US and 124 Canadian stores were believed to have been attacked.
One day later, Target confirmed the rumours. It seems
that, between 27 November and 15 December 2013,
hackers stole the data records of around 40 million
credit cards and bank cards through the credit card
payment terminals. The stolen data included such
customer details as name, address, card number, card
expiry date and even the encrypted card validation
code, the CVC. Nobody knew who was responsible for
the attack and how they had done it.
Discovery of the loss
Target immediately launched an investigation into the
incident. The next day, it was able to confirm that at
least the customers’ social security numbers and
dates of birth had not been stolen. Two days after this,
the banks began to take action: on 21 December, JP
Morgan Chase announced that daily limits had been
placed on the affected customers’ cards and that new
cards were being issued.
About three weeks later, Target published an interim
report on its investigation. In addition to the 40 million credit card and bank card data records, such data
as the names and addresses of a further 70 million
customers had also been stolen. All in all, hackers had
stolen data belonging to 110 million customers. While
this news was hitting the headlines, a report by
another retailer went all but unnoticed: luxury retail
chain Neiman Marcus had also fallen victim to a criminal attack shortly before Christmas. At first, everything seemed to indicate that this was a targeted
attack, launched by the same group of hackers. Here
too, the Neiman Marcus credit card payment terminals
were hacked in 77 of its 85 stores and credit card data
as well as customer data stolen. According to Neiman
Marcus, over a million customers were affected.
[Photo: A Target store in Westbury, New York, on 23 November 2012.]
Reconstruction of the events
The hackers who infiltrated Neiman Marcus evidently
had both specialist know-how and patience on their
side. To avoid detection, the hackers proceeded in
almost imperceptible steps. They moved around in
the internal Neiman Marcus network for about eight
months, during which time they triggered roughly
60,000 security warnings in the system, according to
a company spokesperson. Despite this, Neiman Marcus did not suspect a concrete attack, as the warnings
had been triggered by the internal cash register system and no problems had been identified. The hackers had simply named the malware the same as the
cash register system program and were thus able to
move about unnoticed.
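The failure mode described above, warnings dismissed because the process carried the cash register program's name, can be caught by checking each process against the known path and hash of the legitimate binary rather than its name alone. This is an added example, not code from the article or from either retailer; the program name, paths, hashes and event records are all constructed.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed baseline of trusted point-of-sale software:
# lower-cased program name -> (expected install path, expected SHA-256).
# "posregister.exe" is a hypothetical name for the cash register program.
GOOD_HASH = "a" * 64  # placeholder digest, not a real file hash
BASELINE = {
    "posregister.exe": (r"c:\program files\pos\posregister.exe", GOOD_HASH),
}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    name: str
    path: str
    sha256: str


# Constructed process-start events, as an endpoint agent might report them.
EVENTS = [
    ProcessEvent("POS-001", "posregister.exe",
                 r"C:\Program Files\POS\posregister.exe", GOOD_HASH),
    ProcessEvent("POS-002", "PosRegister.exe",
                 r"C:\Windows\Temp\PosRegister.exe", "b" * 64),
    ProcessEvent("POS-002", "PosRegister.exe",
                 r"C:\Windows\Temp\PosRegister.exe", "b" * 64),
    ProcessEvent("POS-003", "posregister.exe",
                 r"C:\Program Files\POS\posregister.exe", "c" * 64),
    ProcessEvent("BO-01", "backup.exe",
                 r"C:\Tools\backup.exe", "d" * 64),
]


def classify(event, baseline=BASELINE):
    """Return (verdict, reasons) for one event.

    verdict is 'trusted', 'masquerade' or 'unknown'. A trusted *name* alone
    never yields 'trusted': path and hash must both match the baseline.
    """
    entry = baseline.get(event.name.lower())
    if entry is None:
        return "unknown", []
    expected_path, expected_hash = entry
    reasons = []
    if event.path.lower() != expected_path:
        reasons.append("unexpected path")
    if event.sha256.lower() != expected_hash:
        reasons.append("unexpected hash")
    return ("masquerade" if reasons else "trusted"), reasons


def triage(events, baseline=BASELINE):
    """Group masquerade findings by host: host -> Counter of (path, reasons)."""
    findings = {}
    for event in events:
        verdict, reasons = classify(event, baseline)
        if verdict == "masquerade":
            key = (event.path, tuple(reasons))
            findings.setdefault(event.host, Counter())[key] += 1
    return findings


def verdict_counts(events, baseline=BASELINE):
    """Count how many events fall under each verdict."""
    return Counter(classify(e, baseline)[0] for e in events)


if __name__ == "__main__":
    for host, hits in sorted(triage(EVENTS).items()):
        for (path, reasons), count in hits.items():
            print(f"{host}: {count}x {path} ({', '.join(reasons)})")
```

Grouping by host and reason keeps repeated hits visible as a pattern instead of a stream of individually dismissible warnings.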
[Photo: A store of the luxury retail chain Neiman Marcus in Golden, Colorado, on 23 January 2014. Credit card and customer data were stolen from 77 of the chain’s 85 stores.]
[Chart: Losses frequently far exceed clients’ insurance cover. Overall losses compared with insurance payment for TJX, Heartland Payment Systems and Sony Corp. Figures in US$ m. Source: U.S. Securities and Exchange Commission]
TJX Companies (2007): Data of 45.6 million credit cards and bank cards stolen
Heartland Payment Systems (2007): Data of 130 million credit cards and bank cards stolen
Sony Corporation (2011): Theft of data belonging to 77 million Playstation Network (PSN) users
The investigations at Target revealed that hackers had
accessed the technical system using identities stolen
from a service provider for heating and ventilation
systems. Even though the service provider merely had
access to the accounting and order management system via Target’s extranet, a misconfiguration in the
system enabled the hackers to penetrate deeper and
deeper into the internal network and ultimately install
their malware in the credit card payment terminals.
The repercussions: Class actions and loss of profits
Since early January 2014, Target has been confronted
with a number of class actions. Towards the end of
March, Target’s IT service provider Trustwave also
came under scrutiny from the banks. The two banks
Trustmark National and Green Bank are demanding
compensation amounting to US$ 5m from Trustwave.
Replacing customers’ credit cards and bank cards is a
costly matter for the companies. By mid-August 2014,
banks had issued some 22 million new bank cards
and credit cards as a result of the Target affair. At an
average cost of around US$ 10 per replacement, costs
are likely to be in the region of US$ 220m. Some US
banks are therefore seeking to recover additional
costs from Target for the extra expense incurred for
customer service.
The cyber attack also impacted Target’s management
and its balance sheet. In March, CEO Gregg Steinhafel
announced that the CIO (Chief Information Officer) and
CISO (Chief Information Security Officer) were to be
replaced. Steinhafel himself then resigned in mid-May.
He had led Target for 35 years. He received a US$ 21.1m
pay-off.
The impact of this cyber attack on the balance sheet
cannot be viewed in isolation. For the fourth quarter
2013, however, Target reported a 46% drop in sales as
compared to the previous year’s result. Although Target
shares had been slipping since mid-November 2013,
their value tumbled by more than 13% in the period
from 18 December 2013 to 4 February 2014. Since
then, the share value has steadily risen again. In its
quarterly report for QII/2014, Target reports a loss of
US$ 148m due to the cyber attack.
Similar attacks – Different consequences
These two cases show that similar attacks can have
very different consequences. This is due not only to
the companies’ different technical security precautions, but also in many cases to a particularly unfortunate sequence of circumstances, such as the time at
which the attack is reported.
[Chart: Attacks are becoming technically more sophisticated. Axes: frequency of attacks; know-how attackers need; availability of highly developed attack tools and know-how of the attackers; timeline 1970 to 2010. Labels: computer clubs, telephone hacking (“phreaking”), hacking, pranks, 419s, frameworks, crimes, hacktivism, capital crimes, state organisations vs. industrial corporations, states vs. states. Sources: Munich Re, Symantec, MIT]
Professionalism and motivation of hackers in recent decades: instead of breaking into systems to draw attention to weak points as in the past, cyber attacks today aim to damage entire industries and national economies.
The management, CEO and balance sheet of Neiman
Marcus came away from their cyber attack with a
much smaller loss than Target. In the second quarter
of 2014, Neiman Marcus reported that the attack had
cost US$ 4.1m for legal advice, forensic investigations, customer communications and credit monitoring. One explanation for this relatively modest figure
may be that the Neiman Marcus case was conveniently eclipsed by the media interest aroused by Target,
and that much less data was lost.
Public attention was more focused on the Target
attack and the much larger number of customers
affected. Both attacks sought to manipulate the credit
card payment terminals, although the way they went
about this was very different. In both cases, the hackers first obtained
access to the network before systematically seeking
out and exploiting individual weaknesses to reach
their goal.
Though security systems are being upgraded on a
grand scale, these days companies must always
remain alert to the possibility of a successful attack
and take precautions to prevent potential losses. A
study has shown that cyber crime causes firms
annual losses amounting to hundreds of billions of
dollars.
Demand for cyber covers will rise
The case of Target – which had to shoulder three-quarters of its high loss amount itself – highlights the
urgent need for separate covers.
Instead of including cyber risks in regular property
and liability policies, they should be covered under
special cyber policies precisely tailored to the individual risks involved. Many cyber covers include components from property and casualty. This is often necessary, as in most cases the individual components not
only affect the company directly (for instance in the
form of a business interruption) but can also give rise
to further costs through claims for damages.
The challenge when designing products to cover
complex cyber risks is therefore to identify the risks of
relevance to the client and their impact, and to find
appropriate individual insurance solutions.
A further cyber attack on the US retail trade was
reported in mid-September. The victim this time was
the DIY chain Home Depot. Here too, the payment
system was hacked and data from 56 million cards
were stolen. According to initial estimates by the
management, losses from the attack are expected to
be in the region of US$ 60m, US$ 27m of which will
be borne by insurance.
OUR EXPERTS
Nils Diekmann is an underwriter
for cyber risks at Munich Re.
Andreas Schlayer is head of the
Information Technology Topic
Network and an underwriter in
Special and Financial Risks.
Risk, Liability & Insurance
Our “Risk, Liability & Insurance” series explores fundamental issues of
liability law and its significance for the insurance industry. Analysing the
effect social influences have on insurance and tort law practice is an
important part of this process.
The publications in this series are now available in a brand new format:
– Non-objectifiable diseases
– Compensation for pain and suffering
– Tort law and liability insurance
– Asbestos – Anatomy of a mass tort
To obtain a copy of any of these publications, visit our client portal
connect.munichre.com or contact your Client Manager.
CYBER RISKS
The right protection against
cyber losses
There were more than 2,000 major cyber incidents in 2013 in
the US alone, resulting in the exposure of nearly 823 million
records. Insurance cover from Hartford Steam Boiler can help
to reduce the financial risks involved.
Kenneth Williams, Hartford Steam Boiler
Hartford Steam Boiler Inspection and Insurance
Company (HSB), a Munich Re company, has developed
several insurance products designed to address the
risk of cyber attack and create peace of mind for our
personal and commercial lines policyholders. HSB’s
cyber risk products include Identity Theft Recovery
and Data Compromise and the CyberOne insurance
product.
Identity Theft Recovery
Identity Theft Recovery (IDR) coverage provides case
management services and expense reimbursement to
individuals who are victims of identity theft. Among
the services provided are professional identity restoration
services, legal fee reimbursement and the reimbursement
of out-of-pocket costs.
Our IDR coverage recently responded to an elderly
couple who noticed that their monthly social security
cheques were not being deposited on time in their
bank account. They called the social security administration
and learned that their cheques were being
forwarded to another account, allegedly per the
insureds’ direction. The insureds had not authorised
the transfer or opened the fraudulent account. They
reported the loss to HSB under their IDR coverage.
HSB retained legal counsel on the insureds’ behalf,
employed the service of an identity restoration vendor
and instructed the insureds to notify the local law
enforcement authorities. In time, legal counsel persuaded
the receiving bank that the transactions were
fraudulent and the bank refunded the insureds’ money.
The restoration vendor placed credit alerts on the
insureds’ credit reports and worked with credit reporting
agencies to remove the fraudulent account from the
insureds’ credit reports.
Protecting commercial clients
The loss, theft or inadvertent publication of personally
identifiable data by a commercial insured can result
in a coverable loss under HSB’s Data Compromise
coverage. The data subject to this coverage can exist
either electronically or in a tangible form such as
paper. Coverages can include a forensics information
technology vendor to discover the nature and extent
of the data breach, counsel to provide legal guidance,
notification to affected individuals, credit monitoring
and public relations services.
A recent HSB claim involved both documents and an
employer-supplied desktop computer stolen from a
medical transcriptionist’s home. The computer and
paper files contained personally identifiable patient
data. The transcriptionist would pick up paper files
weekly from the insured’s medical office and take them
home, where she would transcribe them into electronic
form. As the transcriptionist was an employee
of the doctor, the data never left the possession or
control of the insured.
Burglars broke into the transcriptionist’s home and
stole the computer and 120 paper files of patients. The
information contained in the stolen items included
names, addresses, dates of birth, social security numbers,
account numbers and HIPAA-protected information
on the medical conditions of the patients. HSB
worked with the insured to identify the 120 patients
concerned and to obtain full names and addresses.
The insured retrieved the data from the desktop from
a back-up device. This saved the cost of a forensic
information technology review. HSB worked with a
data recovery and identity restoration vendor to notify
and provide services to the affected individuals. Our
adjuster monitored the vendor and apprised the
insured regularly of the claim’s progress and promptly
reimbursed the insured’s covered expenses. HSB
closed the case six months later, having satisfied all
the requirements of state law, secured the identities
of the patients and restored confidence in the insured’s
business practices.
Malware threats
HSB’s CyberOne first-party coverage can be triggered
by a computer attack in the form of hacking, malware
or a denial of service attack, among other things.
Third-party coverage is triggered by a network security
liability suit alleging breach of third-party business
data, unintended propagation of malware or
unintentional participation in a denial of service
attack. HSB designed this coverage to restore or
recreate data, systems and software. In addition, it
may cover business income loss, public relations
expenses and legal defence costs, judgements and
settlements.
As an example, HSB’s CyberOne coverage would
respond to a commercial insured who experienced a
malware event in which large amounts of data were
stolen. The stolen data include both personally-identifying
employee information and proprietary design
information belonging to the insured’s customers. A
customer of the insured whose data was breached
files a lawsuit against the insured.
HSB’s CyberOne coverage would assist with the costs
of responding to the breach of personal information
and provide defence and liability coverage in connection
with suits brought by individuals whose personally-identifying
information was breached. It would
also provide defence and liability coverage in connection
with suits brought by businesses whose proprietary
information was breached.
The modern fluidity of personally identifiable data
means that opportunities abound for data to be lost,
stolen, hacked or even held hostage. Most of our
insureds take all reasonable and necessary action to
protect data in their possession and control from such
hazards. But when all reasonable and necessary
actions do not work, HSB’s cyber risk products are
there to help.
Our Expert
Kenneth Williams is Vice President
of the Specialty Claims
Unit at Hartford Steam Boiler
Inspection and Insurance Company
(HSB).
THIRD-PARTY LIABILITY
Delayed knock-out
Serious blows or even minor jolts to the head
may cause severe long-term neurological consequences. The recent concussion settlement in the
US between the National Football League (NFL)
and former players has attracted the attention of
sporting leagues, athletes and insurers.
Travis D. Coleman
In the US, no other sport enjoys the same widespread
popularity as football, a game which owes much of its
attraction to the extreme physical demands placed on
its athletes. Injuries are inevitable, and players have
been known to continue playing even when severely
injured. A class action lawsuit was filed against the
NFL in 2012 by more than 4,500 former football players seeking compensation for the consequences of
concussion-related injuries. As a result, the NFL had
to confront the players’ allegations under intense
media scrutiny. The NFL class action litigation has
brought public awareness to the dangers of concussions and spurred similar litigation against other
sporting leagues and associations.
Litigation continues despite settlement
In August 2013, the NFL and its former players agreed
to a US$ 765m settlement. Initially, the 2013 settlement was not approved by the trial court and the parties were instructed to revisit their reported settlement and the capped compensatory injury benefits
specified in the settlement. A revised settlement
proposal valued at over US$ 900m, which could
encompass as many as 20,000 retired football players,
was submitted to the court in July
2014. The new settlement agreement provides
uncapped compensatory damages for players
with specified neurological symptoms estimated
to be US$ 675m. This portion of the fund is
designed to make payments based on various
factors such as the player’s age and illness. Furthermore, the settlement included US$ 75m for a
medical testing programme, US$ 10m for an educational fund and US$ 112m to plaintiffs’ counsel.
Despite this settlement proposal before the court,
some players have chosen to opt out of the settlement class and pursue their own lawsuits.
Apart from former professional football players, a
similar class action lawsuit was filed in November
2013 by former National Hockey League (NHL)
players. The NFL and NHL lawsuits have likely had
a strong influence on how the other main sporting
leagues in the US address concussion policy.
Lawsuits have also started to emerge, seeking
accountability from the organisers of college and high
school sports, municipalities, manufacturers of safety
equipment, coaches and medical staff. Although only
so-called “contact sports”, e.g. football and hockey,
originally received attention concerning concussions,
the seriousness of the issue has quickly drawn the
attention of organisers and parents of athletes participating in other sporting disciplines, such as baseball,
basketball and soccer. Off the playing field, concussions have drawn the attention of the United States
Department of Defense, as many of its soldiers have
sustained concussions.
[Figure: The nerve cell of a brain. Labels: cell body, axon, rotational impact.]
Impact on the nerve cells
Multiple concussions can cause the nerve cells to fall apart. Tau proteins, the substances that stabilise healthy nerve cells, accumulate in the brain, forming clumps.
Even light blows are dangerous
Current research increasingly indicates that frequent
blows or jolts, particularly to the head, can cause
irreparable brain damage and have a serious impact
on health. However, single violent blows to the head
are not the only danger. The cumulative effect from
repeated blows to the head of a football player over
his career can be serious. Concussions are often
referred to as mild traumatic brain injuries that typically occur following a fall or blow to the body when
the head is simultaneously exposed to high acceleration forces.
Symptoms of concussion
– Impaired consciousness
– Headache
– Dizziness, balance dysfunction
– Squinting
– Unequal pupil size
– Cramps or other neurological deficits
– Nausea and vomiting
– Loss of consciousness
– Impaired word recall (amnesic aphasia)
– Memory lapses (amnesia)
– Visual hallucinations
In such cases, the cerebral fluid cannot adequately
absorb the trauma and the brain collides with the
skull. The United States Center for Disease Control
(CDC) has published the following figures relating to
injuries and symptoms:
– According to official estimates, between 1.6 and
3.8 million concussions occur in the United States
each year.
– 5–10% of athletes will experience a concussion in
any given sport season.
– Fewer than 10% of sport-related concussions
involve an impairment of consciousness, such as
blackouts or seeing stars.
– Football is the sport with the highest concussion
risk for males (75% risk).
– Soccer is the sport with the highest concussion risk
for females (50% risk).
– 78% of concussions occur during games, as
opposed to training sessions.
– Some studies suggest that females are twice as
likely to sustain a concussion as males.
– Headache (85%) and dizziness (70–80%) are the
symptoms most commonly reported by athletes
immediately after sustaining a blow to the head.
– Around 47% of the athletes do not experience any
symptoms.
– A professional football player will receive an estimated 900 to 1,500 blows to the head during a season. The impact speed of a moving player colliding
with a stationary player can be up to 40 km/h. By
way of comparison: a professional boxer punches
with an impact speed of over 30 km/h, while a
firmly struck soccer ball strikes the player’s head
with an impact speed of over 100 km/h.
150g impact
When two players collide in American
Football, the impact to the head can
be as much as 150g (one g equals the
force exerted by gravity). By way of
comparison, the impact from a professional boxer’s punch is between
10 and 20g.
Concussion
The brain is well protected. The hard cranium provides protection from mechanical injuries. The cerebral fluid and the three
meninges absorb the effects of jolts. However, a sufficiently
strong blow can cause craniocerebral injury (CCI), more commonly known as concussion. Common causes of concussion
include road accidents, sporting accidents and accidents in
the home. It is characterised by an injury to the skull, including
the brain.
[Figure labels: impact, cranium, damaged blood vessel, brain, liquor, injury, shock wave.]
Brain damage
The brain floats within a kind of fluid-filled chamber. Due to the inertia of
the brain, a jolt or a blow to the head
initially causes it to hit one side of the
skull, following which it frequently
rebounds and slams into the other side.
Millions of nerve cells are damaged by
the jolt and the impact, causing small
injuries in the nerve tracts. If the
trauma is severe, blood vessels in the
brain may even rupture, resulting in a
cerebral haemorrhage. In a nerve cell
which has been subjected to such a
trauma, the electrical impulses may
be interrupted, killing the cell. Neighbouring nerve cells then begin to shut
down as a protective response. The
more cells are destroyed, the greater
the likelihood of such symptoms as
impaired consciousness, dizziness and
memory lapses. Multiple concussions
can cause the nerve cells to die off.
[Image caption: Recently, new imaging techniques have
been used to find evidence of CTE in living
persons. Most promising is the Positron
Emission Tomography (PET) using a newly
developed radiopharmaceutical marker
([18F]FDDNP). The scan lit up for a pathologic protein in the brain, the so-called Tau
protein. The protein was concentrated in
areas that control memory, emotions and
other functions – a pattern consistent with
the distribution of Tau in CTE brains that
have been studied following autopsy.]
Although the symptoms of concussion are numerous,
they can be roughly subdivided into four categories:
impairment of the ability to think and remember (e.g.
difficulty in thinking clearly or concentrating), physical consequences (e.g. headaches or vomiting), fluctuating emotions or moods (e.g. sadness or irritability)
and abnormal sleep patterns (e.g. sleeping too much
or not enough). Some symptoms may be immediately
apparent, while others only emerge days or months
later. Diagnosing a concussion can often be difficult
since an injured person may appear to be physically
sound when they are in fact experiencing adverse
mental trauma.
Research findings show that multiple concussions
can have serious long-term repercussions. These
include the development of mild cognitive impairments (MCIs), chronic traumatic encephalopathy
(CTE) or post-concussion syndrome (PCS). In the
litigation against the NFL, several players also cited
such diseases as Alzheimer’s, Parkinson’s or amyotrophic lateral sclerosis (also known as ALS or Lou
Gehrig’s disease), claiming to have developed these
conditions as a result of multiple concussions.
Although many claimants did not display any symptoms of these diseases, the NFL players contended
that they were at an increased risk of developing them
and should likewise receive compensation for medical
monitoring expenses.
Degeneration of the brain
Since the 1920s, CTE has been known to affect boxers. CTE is a trauma triggering a progressive degeneration of the brain tissue. These changes in the brain
can begin months, years, or even decades after the
last brain trauma and hence when all active athletic
involvement has ceased. Degeneration of the brain is
associated with memory loss, confusion, impaired
judgement, impulse control problems, aggression,
depression, and, eventually, progressive dementia.
CTE is also suspected of having been a factor in a
number of suicides by former NFL players. Although
the link between concussion and suicide is controversial,
a study published by the journal “Brain” in
December 2012 claimed that evidence of CTE had
been found in the brain tissue of 33 out of 34 professional football players after they died.
Claimants in the litigation against the NFL contended
that NFL officials knew for decades of the harmful
effects of concussions, but concealed these facts
from coaches, players and the public. Furthermore,
the players alleged that the NFL had neither adopted
rules to reduce head injuries nor implemented safety
guidelines to properly protect players following concussions.
The settlement agreement reached between the NFL
and its retired players has been structured to last
65 years. According to court documents, the NFL has
agreed to fund medical examinations of all former
professional players, as well as medical research,
litigation expenses and administrative expenses to
establish a settlement claims programme. The following indemnity payments were additionally defined:
– Persons who have or develop ALS (Lou Gehrig’s disease), Parkinson’s disease, Alzheimer’s disease or
any other severe cognitive impairment will receive
up to US$ 5m.
– Up to US$ 4m will be paid if a chronic traumatic
encephalopathy (CTE) is diagnosed after death.
– Up to US$ 3m for players with dementia.
Although many may argue that the high salaries
earned by professional athletes may compensate
them for the physical risks they take, this is not the
case in American college or amateur sports. College
athletics has also become a multi-billion-dollar industry. The problem is that college athletes are considered amateurs and therefore do not receive a salary.
Instead, the revenues generated by college sports are
used to finance college operations or boost a college’s
image, or are applied towards scholarships.
College athletes also seeking litigation
College athletics in the United States is organised by
the National Collegiate Athletic Association (NCAA).
As with the lawsuits filed against the professional
sporting leagues (e.g. NFL, NHL), many active and
former college athletes have taken legal action
against the NCAA in order to obtain compensation.
Athletes are also pushing for changes in the rules,
such as ensuring that if a player has a violent collision
or sustains a concussion, certain rules are followed
and time is allowed before a player may resume
playing.
The NCAA reached a preliminary settlement with
the plaintiffs in the summer of 2014, allocating over
US$ 70m to screening and another US$ 5m to
research. It proposed the establishment of a 50-year
medical monitoring programme for all active and former NCAA athletes in any sport and would oblige the
NCAA to order its member schools to make changes
to their concussion management policies and institute return-to-play guidelines. Several million current
and former athletes may stand to benefit from this
settlement proposal. In December 2014, a federal
judge denied preliminary approval of the proposed
settlement but encouraged the parties to continue
their settlement discussions.
Sports-related concussions at high schools are also
attracting increasing attention. Estimates indicate
that some 35 million US children and adolescents
participate in sports, including more than 7 million at
high schools. Every year, children and young adults
make roughly 250,000 emergency room visits as a
result of brain injuries sustained during sports and
recreational activities. The real figure is no doubt
higher, as some injured athletes do not seek any medical help, or consult their family doctor instead of a
hospital. One need not search far to find stories of
young athletes who have either sustained permanent
damage following concussions or have died as a
result of a head trauma. The CDC along with numerous sporting leagues, insurers and parent-led initiatives have launched awareness campaigns, created
websites and published booklets to inform student
athletes, parents and coaches about the symptoms
associated with concussions.
Criticism of FIFA rules
The consequences of high school sports are also a
matter for the judiciary. In late August 2014, a class
action lawsuit was filed in the United States District
Court of California against US soccer organisations
and FIFA (Fédération Internationale de Football
Association), soccer’s international governing body.
According to the complaint, nearly 50,000 high
school soccer players in the United States sustained
concussions in 2013. It alleged that the defendants
had acted negligently in monitoring and treating head
injuries. Other lawsuits have also been filed against
school districts and coaches who have allegedly
ignored the risks associated with concussions.
The 2014 World Cup in Brazil clearly showed that,
sooner or later, the issue of concussions must also be
addressed by professional soccer leagues. A number
of high-profile cases occurred at the World Cup: during the group stage, the knee of England’s Raheem
Sterling struck the head of Uruguay’s Alvaro Pereira
at full speed, leaving Pereira motionless. Despite having
to be carried off the field looking punch-drunk, he
refused to be substituted and returned to the game.
During the semi-final match between Argentina and
the Netherlands, Javier Mascherano of Argentina
collided in the air with a Dutch player. He too was
evidently temporarily befuddled, but remained in the
game.
In the final, Germany’s Christoph Kramer’s head collided violently with an opponent’s shoulder. He continued playing for 15 minutes in a dazed state before
being taken off the field. In Pereira’s case, the World
Players’ Union accused FIFA of having failed to adequately protect him. The organisation demanded
that FIFA review its guidelines on concussions during
soccer matches and develop possible changes in
the rules.
A matter for politicians
Even the White House has turned its attention to the
subject, in view of the large number of lawsuits and
growing awareness of the problem. President Barack
Obama hosted “The Healthy Kids and Safe Sports
Concussion Summit” at the White House on 29 May
2014. During the summit, the following commitments
were made:
−−The NCAA and the US Department of Defense
jointly committed US$ 30m for concussion education and the most comprehensive concussion study
to date, involving up to 37,000 college athletes.
−−The NFL committed US$ 25m in new funding over
the next three years. These funds will be used to
create health and safety forums for parents and to
hire more trainers (medically trained staff) for high
school games.
−−The National Institute of Standards and Technology
will invest US$ 5m over the next five years to
develop more advanced materials that can provide
better protection against concussions.
Manufacturers of helmets have also come under
attack because the protection supposedly afforded by
their equipment may be inadequate, or may fall short of the level of protection
plaintiffs had previously assumed. Although the wearing of a helmet is recommended to prevent skull fractures and brain contusions, recent studies have revealed a number of
limitations. The Florida Center for Headache and
Sports Neurology has concluded that helmets provide
limited protection for blows to the side of the head,
which can cause concussions. Lawsuits against manufacturers of helmets have accused them of acting
negligently, designing defective helmets, failing to
draw attention to the dangers and engaging in misleading marketing.
Will concussions impact insurance carriers?
The implications of concussion litigation concern not
only athletes, sporting organisations and manufacturers of safety equipment, but also their respective
insurance covers. Numerous insurance carriers are
currently involved in coverage litigation with their
insureds (NFL and/or NHL and/or helmet manufacturer Riddell). These actions seek to determine what
coverage, if any, is available to the insureds for concussion-related claims. The NFL, for instance, seeks a
determination of coverage for the defence of the class
action litigation and settlement against its primary
and excess liability carriers during the period
1968–2012.
Determining whether or not a player’s injury is actually related to a specific concussion injury presents
many challenges since the alleged injury may not be
diagnosed until many years after participation in a
sport has ended.
The coverage litigation between the NFL and its carriers has been inactive (stayed) while approval of the proposed
class action settlement is pending. Once the class
action settlement is approved, many insurers and the
NFL will likely commence the litigation of various
coverage issues related to the underlying concussion
claims.
Finally, now that the lawsuits brought by professional
athletes have focused media attention on the seriousness of concussions, there are likely to be repercussions felt off the playing field as well. As more
becomes known about head injuries and their consequences, additional claims may be filed by accident
victims, injured employees or even, potentially, members of the armed forces alleging injuries from a prior
head trauma. Claimants who have sustained a concussion or other head injuries may base their lawsuits
and amount of damages claimed on the latest scientific research and court rulings. Risk managers and
insurance carriers should therefore pay close attention to what is being done by their organisations to
protect athletes, employees, customers and others
from potential concussions.
>> Further information at
www.cdc.gov/concussion/
http://dvbic.dcoe.mil/dod-worldwide-numbers-tbi
www.army.mil/tbi
Chronic traumatic encephalopathy (CTE)
−−Chronic traumatic encephalopathy is a neurodegenerative disease that is a long-term consequence of
single or repetitive head injuries. The exact mechanism for CTE is unknown. To date, the number or
type of hits to the head needed to trigger degenerative changes of the brain is unknown.
−−There is no treatment, and definitive diagnosis is
made by studying the brain tissue after death.
−−Clinical presentation of CTE includes cognitive
impairment and neuropsychological symptoms
(memory loss, confusion, impaired judgement,
impulse control problems, aggression, depression,
anxiety, suicidality). In addition, Parkinsonism, and,
eventually, progressive dementia are described.
These symptoms often begin years or even decades
after the last brain trauma or end of active athletic
involvement.
−−CTE is closely linked to athletes who participate in
contact sports like boxing, American Football, soccer, professional wrestling and hockey. Aside from
repeated head trauma, risk factors include the presence of a certain genotype (ApoE3 or ApoE4 allele),
military service and old age.
Dr. Alban Senn, Centre of Competence Medical,
UW & Claims Consulting
OUR EXPERT
Travis D. Coleman is a US licensed
attorney. He works as a North
American liability underwriter for
Corporate Insurance Partner in
Munich, Germany.
NATURAL HAZARDS
Severe hailstorms –
A risk of change?
In 2013, large hailstones caused heavy
damage in Germany. Recent studies assume
that continued climate change will be associated with a trend towards intensive thunderstorms including hail in many regions.
Eberhard Faust and Peter Miesen
Germany can experience particularly severe hailstorms when the upper air flow over western Europe
forms a trough-like loop extending far to the south,
bringing warm, moist air from the western Mediterranean and subtropical Atlantic northeast to central
Europe. Under the influence of bad weather fronts
within the range of this trough, intense thunderstorms can develop and move over Germany with the
air flow from the southwest to the northeast. Such
weather conditions prevailed on 27 and 28 July as
well as on 6 August 2013.
Losses and loss drivers of the severe weather in
summer 2013
The first hailstorm on 27 July moved along a corridor
from the Ruhr area to Hanover and Wolfsburg, with
hailstones up to roughly 8 cm in diameter. A storm on
28 July produced hailstones of similar size along a
path from Villingen-Schwenningen to Schwäbisch
Hall. Hailstones with a diameter of up to 14 cm –
larger than any previously encountered in Germany –
were recorded near Undingen (Swabian Alps) during
the hailstorms affecting Saxony, Baden-Württemberg
and Bavaria on 6 August.
Following a trajectory which also included a horizontal component due to strong storm gusts,
these large hailstones caused enormous damage
to roofs, façades and vehicles in densely populated areas. The storms on 27 and 28 July alone
caused an insured loss of €2.8bn (€3.6bn overall
loss), while the events on 4 to 6 August contributed a further loss of €0.4bn (€0.6bn overall loss).
Photo captions:
Large hailstones can cause serious damage. The hailstones in Undingen, Germany, on 6 August were up to 14 cm in diameter.
1 Newer, well-insulated façades with thin finishing coats were more susceptible to hail.
2 Rain easily found its way into buildings through the shattered roofs.
3 In numerous storage yards, moisture seeped in through shattered car windows, causing serious damage to the interior and electrical systems.
4 Standby agreements with warehouse owners permitted rapid and efficient inspection of the damaged motor vehicles by insurance companies.
5 Hoarding elements, roller shutters and façades, such as here in Reutlingen, Germany, were seriously damaged or destroyed by hail.
Heavy rain on the following day was a major loss
driver in the hailstorm corridor of southwestern
Germany on 28 July, as shattered roof tiles exposed
the interior of buildings to the rain. Photovoltaic
systems and solar thermal energy systems were
likewise unable to withstand hailstones measuring
up to 8 cm in diameter. The horizontal element in
the hailstones’ trajectory led to severe losses as the
plaster on many houses with external wall insulation was knocked off right down to the reinforcing
fabric inside.
The finishing coat on such compound heat insulating
systems is much thinner than that on older façades
and therefore less resistant to hail. Typical damage to
vertical surfaces also included façade elements, such
as fibre cement slate tiles, glass on hoardings, roller
shutters and external sunscreens.
Marine and motor insurance was also affected, as
numerous vehicles were damaged in the parking lots
of car showrooms and particularly in the car makers’
large storage yards. More than 10,000 vehicles built
by a car manufacturer in Wolfsburg were damaged on
27 July, and storage yards with several thousand vehicles were also affected in the Zwickau area. A storage
yard in France sustained a particularly large loss in
late July: water penetrating through windows shattered by hailstones damaged the electrical systems
and interior of the vehicles, thus resulting in high
repair costs; around 80% of the vehicles were a total
write-off.
What mainly stands out when looking back at the
general loss profiles in 2013 is the size of the hailstones and their potentially high kinetic energy on
impact, causing major damage in densely populated
areas. In several cases, the damage was augmented
by moisture entering buildings following the initial
damage caused by hail.
New roofs displayed considerably greater resistance
than old roofs. The trends observed regarding the susceptibility to damage of exterior walls and superstructures are also important. The following elements in
particular are loss drivers when large hailstones are
involved: solar thermal energy and PV systems, exterior insulation with thin finishing coats and other easily penetrated façade elements, as well as less robust
external sunscreens and roller shutters. Studies in
Switzerland have also indicated greater vulnerability
in recent decades, especially in the case of office
buildings, due to the use of roller shutter systems and
new metal or plastic façade materials.
The insurers’ claims management and particularly
their contingency planning for mass losses proved
effective in summer 2013: claims were settled and
paid out without delay. By and large, coordination and
deployment of the repair services (roofing contractors, scaffold contractors) proceeded smoothly, considering the large number of claims within a relatively
small area.
Is the hazard changing?
With a view to risk management, the enormous losses
raise the question of whether Europe’s exposure to
severe hailstorms is changing. This has been investigated in a number of studies focusing on northern
Italy (Trentino), France and southwest Germany in
recent years.
In France, a 21-year time series of measurements from
hail pads was used for this purpose. Each hail pad
comprises a polystyrene panel measuring 42 x 30 cm
and 2 cm thick which is dented by hail. The size and
kinetic energy of the hailstones can be calculated
from the size of the dents. With regard to the annual
number of hail events per hail pad, no trend was
observed for a field of 457 units in the Atlantic/Pyrenean region. However, a significant upward trend was
established as regards the total kinetic energy per
hail event, and with regard to the aggregate total
kinetic energy per station and year. These increases
occur primarily in spring (April/May). The significant
trend in hail intensity during the period 1989 to 2009
was in the region of 70%. The validity of these findings is limited due to the very short time series of just
two decades (Berthet et al., Atmospheric Research,
2011).
Similar findings were reported by a study using hail
pads in northern Italy. For the period 1975 to 2009,
i.e. 35 years, a significant increase in the total kinetic
energy of extreme events (not more than 10% of all
cases) was observed in the region of approximately
1.7% per year; over a period of 35 years, this consequently meant an increase of 59% (Eccel et al., International Journal of Climatology, 2012).
Greater risk awareness would
not go amiss
Dr. Jochen Tenbieg, head of Global Claims at Allianz SE,
explains the insurer’s handling of major natural hazard
events and how cover for losses due to natural hazards
could change.
Severe hailstorms cost German
insurers billions last year. Claims
management was sorely tested by
the immense number of claims
reported within a very short space of
time. What is your primary focus
after such an event?
The most important thing is that we
were once again able to show our
clients that we are a reliable partner
providing speedy assistance, even in
such exceptional circumstances.
Although hail normally only causes
damage in geographically small
areas, the number of claims reported
is usually too large to be handled by a
single claims department alone. We
must therefore take steps to spread
the burden over many shoulders and
increase our claims handling capacity accordingly. Despite the massive
workload, everyday business continues as usual and should suffer as little as possible. For this reason, we
must find out quickly just how many
claims are to be expected in the days
following an event. That is the only
way to ensure our high service standards even in exceptional circumstances. This estimate is undertaken
by a team of actuaries and members
of the individual departments.
To what extent can an insurer prepare for such a mass event?
Allianz Germany has drawn up contingency planning for mass losses.
This planning becomes effective as
soon as the number of claims and
magnitude of the event exceed certain threshold values. Depending on
the severity of the event, a carefully
defined crisis management is then
set in motion. Even before a potential
major event occurs, we receive
severe weather alerts connected with
the risks in our portfolio. Model simulations help us to estimate the
probable loss burdens to be expected as a
result of the event. This allows us to
prepare our staff or expert partners
accordingly and to establish where
additional staff are likely to be
needed. In motor business, we have
concluded standby agreements with
the owners of large warehouses,
which they then place at our disposal
following a loss event so that we can
inspect the damaged vehicles.
To what extent can claims be handled individually in such exceptional
circumstances?
Every client rightly expects to be
treated individually in keeping with
his needs. From a loss minimisation
vantage too, there is little point in
settling claims on a flat-rate basis.
This is because providers of repair
services often adjust their prices at
short notice to meet the high demand
following mass losses. If we, as insurers, do not proceed with great care
and responsibility, this will have a
direct impact on loss expenditure, as
happened following the severe hailstorm over Munich in 1984: at that
time, the average claim settlement
was high because the insurers were
ill-prepared and followed a very generalised procedure when assessing
claims. Insurers are now better
equipped to deal with such events
too, and can handle each claim as a
single loss despite the large numbers
involved.
Dr. Jochen Tenbieg is head of Global Claims at Allianz SE Holding. The quality of claims management and identifying trends are principal aspects of his work.
Were you surprised by the magnitude of the damage to building
façades?
Not at all. This is a side effect of
homeowners’ efforts to upgrade their
buildings in conformity with energy
standards. As a rule, retrofitted insulation systems have only a thin plaster finish which is easily penetrated
even by medium-sized hailstones,
provided that the wind is strong
enough. This phenomenon will be
encountered much more frequently
in future as the intensity of these
events increases due to climate
change and the number of insulated
buildings mounts. This makes buildings more susceptible to hail damage. The same also applies to solar
power systems, which effectively
cannot be protected without reducing their efficiency or driving the
costs for the solar panels sky-high.
Will this affect pricing?
Building façades and solar power
systems may well become factors of
relevance for pricing in future; this
possibility cannot be ruled out. The
associated higher claims expenditure
would consequently have to be
reflected in the calculated price. In
addition, climate change will also
lead to changes in storm and hail
exposures in natural hazard zoning.
Car makers’ outdoor storage yards
sustained extensive hail damage in
2013. Can the vehicles in such storage yards not be protected more
effectively?
We are constantly considering how
to advise clients to take more effective precautions. Despite just-in-time
production, however, it should be
remembered that the vehicles awaiting transport in outdoor storage
yards often comprise the output of
several days. These yards are equal
to several football fields in size. We
could demand that a roof be erected.
But every client will weigh up exactly
whether the associated costs are also
reasonable. Other forms of protection, such as covering the vehicles
with sheeting, are of little or no use
against severe hailstorms. All that
remains is to locate the outdoor storage yards in areas with the least possible exposure to natural hazards.
Nowadays, however, the weather has
become so unpredictable that severe
loss events occur even in previously
safe regions. This is where we are
needed as insurers.
It is impossible to forecast hailstorms
reliably. Is the so-called inoculation
of clouds with silver iodide from aircraft a suitable means of preventing
the formation of extremely large hailstones?
To the best of my knowledge, there is
no empirical scientific proof showing
the efficacy of this method. The main
problem is surely that certain hail
conditions cannot be controlled with
just one aircraft and that additional
aircraft cannot be flown in from other
locations at short notice. However,
every inoculated thunder cloud that
rains without forming hail is certainly
a bonus.
Although losses due to storms,
floods and hail are increasing, most
Germans consider the risk associated with these natural hazards to be
slight where they themselves are
concerned. How can we heighten
public awareness of the risks?
It would be good if people were more
aware of such events and of the value
of natural hazard covers. The basic
problem is that most people subjectively perceive a flood or hailstorm as
a unique event. Objectively, however,
we are now finding that two once-in-a-hundred-years events can occur
within the space of a decade.
Ultimately, it is probably a question
of how the event is actually experienced. As people’s awareness of the
risks increases, so does their readiness to demand insurance cover and
to pay a reasonable price for such
cover.
A joint study by insurers and climate
researchers has found that losses
due to storm and hail could increase
considerably in the next few decades.
What does this mean with regard to
the insurability of these risks?
Losses due to natural hazards will
remain an insurable risk. In the
medium term, however, it may be
advisable to set up more precisely
defined zones to ensure risk-adequate pricing in the future.
Certain changes will be inevitable,
however, in view of the evident
increase in local severe weather
events in regions formerly considered “safe”. I doubt that the prices
charged for such cover can remain
constant, as the proportion of losses
due to natural hazards resulting from
climate change will presumably
increase.
Figure: Projection of losses due to summer storms/hail
1984 to 2008: claims rate; average claims rate for Germany: 0.034 per mille
2011 to 2040: difference in claims rates; mean change: +0.005 (approx. +15%)
2041 to 2070: difference in claims rates; mean change: +0.016 (approx. +47%)
Legend: Projected change in the mean annual loss ratio storm/hail in summer, based on the reference period 1984 to 2008
Projected change in summer claims rates for storm/hail (homeowners’ comprehensive insurance) for the periods 2011 to 2040 and 2041 to 2070 as compared to the reference period 1984 to 2008. The geographical subunits are defined through similar loss characteristics and do not correspond to any administrative regions or common insurance regions.
Source: Final report on the GDV project “Impact of climate change on the loss situation in the German insurance industry”, December 2011
In southwest Germany, increases were also observed
with regard to the number of hail days, convective
thunderstorm energy for severe events and other
thunderstorm-related variables (Kunz et al., International Journal of Climatology, 2009).
Although, from a meteorological standpoint, the various studies considered different atmospheric parameters, it has recently been postulated that higher
moisture levels in the surface atmosphere could prove
to be a significant factor driving these changes in
Europe (Mohr and Kunz, Atmospheric Research,
2013).
As the atmosphere becomes warmer, it can absorb
more water vapour, at a rate of approximately +7% per
1°C rise in temperature in a vapour-saturated environment. Vapour-laden air rises in convective processes
leading to the formation of thunderstorms, as it has a
lower specific weight than the drier ambient air.
Such increases in storm intensity, which were
observed in isolated regions to the north, south and
west of the Alps, are matched by comparable findings
in other parts of the world. In the United States, an
increase in the year-to-year variability of substantial
normalised losses due to severe thunderstorms was
observed in the period 1970 to 2009, coinciding with
a corresponding increase in the variability of meteorologically quantifiable situations with a tendency to
produce severe thunderstorms. In keeping with the
holistic approach, the losses were aggregated for the
perils hail, tornado, storm gusts and flash floods
(Sander et al., Weather, Climate, and Society, 2013).
Initial studies have already been undertaken for central Europe with projections of future insured losses
due to summer (hail) storms as climate change progresses. For agricultural insurance in the Netherlands,
claims due to hail covered under outdoor farming
insurance are projected to increase by 25% to 29%,
while claims covered under greenhouse horticulture
insurance are projected to rise by 116% to 134% given
a temperature increase of +1°C. For a rise of +2°C,
claims are projected to increase by 49% to 58% or
219% to 269% if portfolios remain unchanged
(Botzen et al., Resource and Energy Economics,
2010).
According to a joint project undertaken by the German Insurance Association (GDV) and climate
research institutions, a 15% increase in the annual
claims rate of homeowners’ comprehensive insurance
due to hail-dominated summer storms has been projected for the period 2011 to 2040 as compared to the
reference period 1984 to 2008, and an increase of
47% for the period 2041 to 2070 (Gerstengarbe et al.,
2013). A conclusion which is consistent with these
results was reached by Sander in a 2010 study based
on climate models, according to which severe thunderstorms will become slightly less frequent as
climate change progresses, but will be more severe
when they are triggered.
All the information available today from the various
studies indicates that the trend towards more severe
hailstorms, which is already being observed in some
parts of Europe, will most probably continue as the
climate continues to change. For North America,
studies based on climate models have already shown
that the number of situations leading to severe thunderstorms will increase considerably as climate
change continues. One conceivable reason for this
accumulation, which has already been demonstrated
in a number of projections, is the widespread increase
in surface moisture in the northern hemisphere. This
is due to the increasing evaporation of warmer sea
surface water and the growing capacity of air masses
to retain more moisture as a result of the rise in temperature.
With regard to future changes in thunderstorm activity due to climate change, the recently published Fifth
Assessment Report of the Intergovernmental Panel
on Climate Change states: “Overall, for all parts of the
world studied, the results are suggestive of a trend
toward environments favouring more severe thunderstorms, but the small number of analyses precludes
any likelihood estimate of this change” (IPCC, Fifth
Assessment Report, 2013).
Building materials must become stronger
In addition to potentially inauspicious changes in
exposure, certain structural parts, such as solar power
systems or façade elements, are becoming more susceptible to damage; for this reason, the insurance
industry supports efforts to improve the strength and
resistance of construction materials and building
shells. One such initiative in Europe is the “Elementary Safety Register Hailstorm” run by the Swiss Cantons, which establishes the hail resistance of various
materials used in building shells.
The research centre of the Insurance Institute for
Business & Home Safety (IBHS) in South Carolina,
USA (www.disastersafety.org) is another initiative
which carries out experiments studying the resistance of different building shells and materials to wind
and hail. Recent claims experience, including that of
summer 2013 in Germany, and the findings of climate
research indicate that it is vitally important to focus
more strongly on a hazard which, driven by adverse
changes in exposure, vulnerability and natural hazards, will continue to increase throughout Europe and
North America in future.
OUR EXPERTS
Dr. Eberhard Faust is Executive
Expert on natural hazards, climate variability and change in
Munich Re’s Geo Risks Research/
Corporate Climate Centre.
Peter Miesen is a senior consultant for meteorological risks in the
Corporate Underwriting Unit. He
is responsible for developing and
validating storm models and loss
estimation following major storm
events.
ENGINEERING
Critical interfaces
Building power plants is a complex business requiring adherence to the
highest-possible quality standards. Recent losses have highlighted the
potential risks involved when a number of different contractors with varying levels of experience are involved in the planning, implementation and
successful testing of a power plant’s myriad of different components.
Marc-Tell Feißt and Michael Gibbons
Quality assurance is a matter of fundamental importance in major projects, such as the construction of
power plants. It is the only way to ensure that absolutely all the components supplied by different subcontractors operate and fit together faultlessly. This
applies not only to the main components, but also to
auxiliary and back-up systems, including the emergency power supply.
Difficult coordination
The owners of a power plant can essentially choose
between the following options when building a new
plant. They can either contract a single OEM (original
equipment manufacturer) or a consortium to build a
turnkey plant as part of a complete package. In this
case, the contracted OEM or leader of the consortium
will be responsible for quality assurance. Alternatively, the owner can assume responsibility for procuring the individual power plant components or contract
various third-party OEMs to build them. In this case,
however, the advantage of purchasing components at
lower cost is offset by the major effort involved in
coordinating the individual works at the respective
interfaces. A high level of experience and a fundamental understanding of how a power plant works are
required here.
Normally, the construction of major plants is governed
by international quality standards. The standards
stipulate construction and final acceptance tests for
the individual elements making up the project. These
tests certify that the components have been designed
and installed as specified in the planning documents.
Final acceptance testing is performed as soon as the
construction work for an individual system has been
completed, such as the condensate or feed water
supply, drainage system or electrical connection of
mechanical components. Provided that the tests do
not reveal any defects, the next step in the process is
initiated when the system is commissioned. In other
words, commissioning is an essential element of quality assurance. It proves that the system complies with
the requirements of process engineering.
Tests reveal weaknesses
Once all the individual systems have been tested for
proper functioning, the plant as a whole must also
pass various tests for its final acceptance. Among
other things, this includes emergency shutdown of
the main components by simulating error messages,
load shedding by switching over to station service
(automatic changeover to station service load), simulation of a blackout (failure of the supply system) or
restarting the plant following a total outage/blackout.
The purpose of such tests is to ensure that all systems
are working as intended in the planning and fulfil the
safety requirements. In this way, potential weaknesses due to planning errors or defective workmanship can be detected in good time.
Recent losses highlight the risks involved
However, some recent losses have highlighted the
potential risks involved when a number of different
contractors with varying levels of experience are
involved in a complex power plant project. A combined-cycle power plant experienced two double-digit
million dollar losses due to the faulty design of the
electrical emergency power supply. The first loss
occurred during commissioning when an employee
inadvertently loaded an electrical switch. This caused
a short-circuit in the AC circuit and subsequently also
in the DC circuit which hosted the turbine control system, back-up batteries and emergency oil lubrication
pump. Unfortunately, the emergency pump was not
hardwired to the battery banks, as per the OEM recommendations, and was also left without power. This
resulted in a major loss as the turbine tripped and ran
down from 100% load without lubrication, causing the
bearings to overheat. This necessitated expensive
overhaul-type repairs to the rotor and an extensive
period of business interruption.
Technologies and infrastructures
that must work together properly are
distributed across a large area. This
makes these types of power plants
prone to design and workmanship
errors where the experience of contractors or the coordination of the
construction process are not up to the
required standards.
[Figure: CSP power plant. Labelled elements: solar field, storage system, “hot” salt tank, “cold” salt tank, power block, steam turbine, generator, cooling tower; time axis from 6 a.m. through 12 midnight to 6 a.m.]
Plant disabled by a further power outage
As fate would have it, a second loss occurred nearly
two years later involving the same turbine and electrical system when a lightning strike to the external
main line caused transients to enter the AC circuit.
This resulted in conflicting signals in the digital control system (DCS) and the turbine’s control system,
leading to another complete loss of AC and DC power.
At the time of the second loss, the emergency oil
lubrication pump was still dependent on the DC
power circuit, resulting in almost identical damage to
the turbine’s rotor and a similar period of business
interruption.
Experts identified several design faults in the control
circuits. These included non-compliance with the turbine manufacturer’s requirements, interdependence
of the AC and DC circuitry, and dependence of emergency systems on the DCS. The fatal flaw, however,
was that the emergency oil lubrication pump was not
hardwired directly to the battery banks. Defective
design and implementation of fundamental elements
of the back-up systems was the major contributing
factor in both losses, and highlights the importance of
contractor experience and the diligent implementation of applicable quality standards.
Questions to ask when assessing the risk for power plant projects
What level of experience does the consortium, owner or OEM have (e.g. list of reference projects)?
Is there any significant cost pressure due to changes in economic conditions or financial stability of a member of the consortium/main contractor?
How are the interfaces between the different subcontractors being managed?
What quality standards are being used for execution of the project, including testing and commissioning of the main components?
Are significant deviations from the OEM plans and recommendations envisaged?
How experienced are the subcontractors responsible for auxiliary and emergency systems?
When building power plants, many different and
widely dispersed components must function
properly as a whole. The know-how and experience
of the individual subcontractors is therefore
particularly important. Even a minor disturbance in
one area can lead to disruptions and major losses in
other parts of the power plant.
Water hammer damages turbine
An operational loss involving a steam turbine, this
time in a concentrated solar power plant (CSP),
occurred during the overlap period between the construction policy’s extended maintenance coverage
and the operational policy. During routine maintenance, technicians discovered that several blades in
the low-pressure turbine were bent or twisted with a
random distribution. The most likely cause was identified as water hammer following the inadequate
drainage of condensate from the turbine. Careful
management of condensate drainage is particularly
important in CSP plants, as turbines start and shut
down relatively frequently. This occurs whenever there
is no direct sunlight and the stored heat energy has
been exhausted (e.g. during the night). The result is
that steam conditions change frequently and the
amount of condensate increases in the turbine.
In the loss adjustment process, experts agreed that
construction and operational factors probably contributed equally to the loss. Operational errors included the
lack of processes for manually emptying the drainage
pots and the lack of monitoring of steam conditions.
Design and erection problems included the lack of non-return valves, inadequate slope on drainage lines and
the inadvertent switching of drainage lines of various
thickness during the erection period.
A number of factors ultimately caused the loss, with
faulty design and problems with the implementation
of major auxiliary systems playing key roles. The project also experienced a variety of other small and
medium-sized losses due to various factors. These
losses were spread across an immense variety of
machinery and plant infrastructure due to a combination of design and erection errors, pressure on costs
and lack of experience with the relatively new CSP
technology.
Conclusion
The risk of loss largely depends on the contractors’
and subcontractors’ level of experience with power
plant technology, and the project’s management ability to coordinate the project in accordance with the
applicable quality standards. Even minor faults in
back-up or auxiliary systems can lead to major losses
in key machinery. When assessing a power plant risk,
underwriters should therefore establish whether the
contractors have sufficient expertise and know-how
to undertake the planning and construction of the
project. Effective management of the interfaces with
the various subcontractors is another critical point to
ensure that the various systems function properly in
combination so that the plant as a whole can
ultimately operate smoothly and without major losses.
It is strongly recommended that the leading insurer/
reinsurer closely monitors the risk throughout the
entire project, including permanent review of construction and commissioning programmes, as well as
the overall project timetable.
Our Experts
As a senior claims lawyer in the
Property Claims Management
Section for Global Clients/North
America, Michael Gibbons is
responsible for the management of
major engineering, power plant
and general industrial claims.
Marc-Tell Feißt has a degree in
engineering from a university of
applied sciences and specialises
in power plant risks (construction
and operation). He is an underwriter in our Global Clients/North
America Division at Munich Re in
Munich.
COLUMN
The consequences of increasingly
international loss scenarios
Tobias Büttner, Head of Corporate Claims at Munich Re
Cyber risks are not the only area
where today’s technology makes it
easier to cause losses with global
implications. Modern technology in
connection with the greater mobility
of ever increasing numbers of people
– be it for business or personal reasons – means that familiar losses
previously restricted to individuals
and specific regions can now assume
completely new dimensions.
We have frequently drawn attention
to the consequences resulting from
the growing internationalisation of
numerous loss scenarios, particularly
with regard to liability insurance.
Worldwide trade and tourism, international consumer protection, forum
shopping and a globally operating
plaintiffs’ bar are just a few of the
phenomena driving this development.
In 2014, public and media attention
was captured by two spectacular
international loss events: the disappearance of flight MH370 on its way
from Kuala Lumpur to Beijing in
March and the downing of flight
MH17 over the Ukraine en route from
Amsterdam to Kuala Lumpur in July.
The circumstances surrounding
the two cases are quite different.
Both, however, underline the tremendous importance of international
agreements and global cooperation
between nations, insurers and
insureds. At the same time, the two
loss events also raise a number of
important legal issues.
In the case of the Malaysia Airlines
aircraft which disappeared (MH370),
these primarily concern the immense
costs incurred for what has so far
been the costliest – and as yet unsuccessful – search in aviation history. To
what extent are search and rescue
operations appropriate in such a
case? How should the associated
costs be allocated to the nations concerned, the airlines and their various
insurers, particularly if the circumstances triggering the loss are never
clarified? What’s more, uncertainty
as to the cause and location of the
accident will also make it more difficult to establish jurisdiction and the
applicable law.
The downing of the Malaysia Airlines
aircraft (MH17) over the Ukraine, on
the other hand, clearly shows just
how easily regional political conflicts
and acts of war can now also harm
civilians from far distant regions. In
terms of liability law, the main area of
uncertainty is the applicability of liability limits and of rules governing
the burden of proof in Art. 21 of the
1999 Montreal Convention on airlines’ liability: limits to the airline’s
liability depend on the lack of negligence on the airline’s side, which
could for instance be based on the
choice of route, as well as whether
the crash was solely caused by a
wrongful act of a third party.
When it comes to compensating the
victims’ relatives, these two incidents
have once again highlighted the far-reaching implications that the type of
passengers involved can have on the
amount of compensation. The age
and nationality of the victims are not
the only aspects that make a difference. The purpose of the flight is also
key, as entire families may be killed if
the trip was being undertaken for private reasons, while flights which are
primarily used by business travellers
mainly involve unaccompanied high-income professionals who not
uncommonly leave one or more
dependants.
© 2014
Münchener Rückversicherungs-Gesellschaft
Königinstrasse 107
80802 München
Germany
Tel.: +49 89 38 91-0
Fax: +49 89 39 90 56
www.munichre.com
Münchener Rückversicherungs-Gesellschaft
(Munich Reinsurance Company) is a reinsurance company organised under the laws of
Germany. In some countries, including in the
United States, Munich Reinsurance Company
holds the status of an unauthorised reinsurer.
Policies are underwritten by Munich Reinsurance Company or its affiliated insurance and
reinsurance subsidiaries. Certain coverages are
not available in all jurisdictions.
Any description in this document is for general
information purposes only and does not constitute an offer to sell or a solicitation of an offer to
buy any product.
Responsible for content
Claims Management & Consulting:
Dr. Tobias Büttner, Prof. Dr. Ina Ebert
Natural hazards: Prof. Dr. Peter Höppe
Marine: Olaf Köberl
Aerospace: Dr. Achim Enzian
Claims: Dr. Paolo Bussolera,
Dr. Stefan Klein, Arno Studener,
Dr. Eberhard Witthoff
Picture credits
Cover: Thomas Peter/Reuters/Corbis
p. 1: Gerhard Blank
p. 2: Stringer/Brazil/Reuters/Corbis
p. 3 left: picture alliance/blickwinkel/A. Held
p. 3 right: Tim Clayton/30163924B/Corbis
pp. 5, 29: Illustration KircherBurkhardt
p. 6: Lee Jae Won/Reuters
pp. 8–11: Orla Conolly
p. 12: picture alliance/Joker
pp. 14, 22, 32, 41, 45: Foto Meinen
p. 15: Plainpicture/George Hammerstein
p. 17: DAC Beachcroft LLP
p. 18: Shannon Stapleton/Reuters/Corbis
p. 20: Rick Wilking/Reuters/Corbis
p. 25: Hartford Steam Boiler
p. 26: Rich Kane/Icon Sportswire
p. 34: picture alliance/dpa
p. 36: Peter Miesen
p. 38: Allianz Se
p. 46: Kevin Sprouls
Printed by
Gotteswinter und Aumaier GmbH
Joseph-Dollinger-Bogen 22
80807 München
Germany
Additional copies are available at a
nominal fee of €8. Please send your order
to [email protected]
All rights reserved.
Editor
Corinna Moormann
Group Communications
(address as above)
Tel.: +49 89 38 91-47 29
Fax: +49 89 38 91-7 47 29
[email protected]
ISSN 0940-8878
Order number 302-08482